InfoSecBulletin Cybersecurity for mankind
On April 15, 2025, Oracle released a Critical Patch Update for 378 flaws for its products. The patch update covers databases, middleware, cloud services, and communication applications essential for global financial institutions, telecom providers, and cloud-native platforms.
Key Highlights:
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code
Oracle Communications Applications had 42 new security updates, including 35 vulnerabilities that can be exploited remotely without authentication.
Oracle Commerce released 6 new patches, including five critical remote code execution vulnerabilities, like CVE-2025-24813 (CVSS 9.8), which impact Apache Tomcat in the Guided Search component.
Oracle Database Server received 7 new patches, including 3 that are remotely exploitable, like CVE-2025-30736, which affects Java VM.
Oracle GoldenGate and TimesTen In-Memory Database both had several serious vulnerabilities, including CVEs related to Axios, Apache Commons IO, and Netty.
Critical Vulnerability Statistics:
Total vulnerabilities addressed: 378
Unique CVEs fixed (excluding duplicates across products): 171
Remotely exploitable without authentication: 255 vulnerabilities
High-severity issues (CVSS v3.1 score ≥ 7.0): 162 vulnerabilities
CVSS ≥ 9.0 (Critical): 40 vulnerabilities
CVSS 9.8 (very high severity): 30 vulnerabilities
No CVSS 10.0 vulnerabilities were reported
The CPU affects a wide swath of Oracle offerings, including:
Oracle Database Server (versions 19.3–23.7)
Oracle Communications Suite (Unified Assurance, Messaging Server, Network Integrity)
Oracle GoldenGate, Graph Server, Essbase, Secure Backup
Oracle Java SE, Fusion Middleware, SOA Suite, WebLogic Server
Retail, Financial Services, E-Business Suite, PeopleSoft, and more
Oracle reiterates in its advisory that “attackers have been successful because targeted customers had failed to apply available Oracle patches.” The company urges users to remain on actively supported versions and apply the updates without delay.
Oracle advises organizations that are behind on patch cycles to upgrade to supported versions, as older versions likely contain vulnerabilities.
